Nearly 200 Cisco routers infected with SYNful Knock


By Dylan Bushell-Embling
Tuesday, 22 September, 2015



Cisco and ecosystem partner Shadowserver have detected nearly 199 routers compromised with the SYNful Knock malware, but Australia has so far escaped infection.

Security intelligence provider Shadowserver revealed on its blog that the two companies have so far identified 199 unique IP addresses matching SYNful Knock behaviour.

SYNful Knock is a router implant designed to replace router firmware with rogue firmware that gives attackers backdoor access to affected devices, even across equipment reboots.

The malware was originally discovered by Mandiant’s FireEye and detected on an initial 14 routers in four countries.

As of an analysis conducted on Sunday, there have now been potential SYNful Knock detections in 31 countries, Shadowserver said. The largest number of compromised routers are in the US (65), followed by India (12) and the Russian Federation (11).

“It is important to stress the severity of this malicious activity. Currently, Shadowserver believes that any machine that responds to this scan is potentially compromised. Compromised routers should be identified and remediated as a top priority,” Shadowserver said in the blog post.

To help avoid infection, Cisco is recommending that enterprises take steps to harden Cisco devices against attacks; implement instrument-based network and device integrity monitoring; and monitor their networks for SYNful Knock activity.

Image courtesy of Leonardo Rizzi under CC



  • All content Copyright © 2025 Westwick-Farrow Pty Ltd